January 15, 2025

Cloudera Operational Database 1.48 adds support for SELinux enforcement and an enhancement to database user management.

Cloudera Operational Database supports Security-Enhanced Linux (SELinux) enforcement

Cloudera Operational Database supports creating a database with SELinux enforcement using the Cloudera Operational Database CLI. You must have the CDP_SECURITY_ENFORCING_SELINUX entitlement to use SELinux support. Please contact Cloudera support if you do not have this entitlement.

SELinux allows you to set access control through policies. You can set the SELinux mode while creating a new operational database by using the seLinux parameter in the create-database command. The supported SELinux modes are:

  • ENFORCING: Enables SELinux in enforced mode, actively applying security policies.
  • PERMISSIVE (default): Sets SELinux to permissive mode, logging any security violations without enforcing policies.

If you do not define the seLinux parameter, PERMISSIVE mode is applied by default.

The following example shows usage of the seLinux parameter.

opdb create-database --environment-name [***ENVIRONMENT_NAME***] --database-name [***DATABASE_NAME***] --security-request '{"seLinux": string}'

opdb create-database --environment-name cod-7218-micro1 --database-name testDB --security-request '{"seLinux": "ENFORCING"}'
opdb create-database --environment-name cod-7218-micro1 --database-name testDB --security-request '{"seLinux": "PERMISSIVE"}'

For more information, see Cloudera CLI documentation and Setting SELinux Mode.
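
For provisioning scripts, the following added example (not Cloudera's own code) builds the create-database command shown above and refuses to continue unless the seLinux mode is stated explicitly, so that a database is never created in the default PERMISSIVE mode by omission. The helper name cod_create_cmd and the character check on names are assumptions of this example; the helper only prints the command and does not run opdb.

```shell
#!/bin/sh
# cod_create_cmd is a hypothetical helper, not part of the opdb CLI.
# It prints the opdb command line for review or later execution.

cod_create_cmd() {
    env_name=$1
    db_name=$2
    mode=$3

    if [ -z "$env_name" ] || [ -z "$db_name" ]; then
        echo "usage: cod_create_cmd ENVIRONMENT_NAME DATABASE_NAME ENFORCING|PERMISSIVE" >&2
        return 2
    fi

    # The names end up in a printed command line, so accept only a
    # conservative character set (an assumption of this example, not a
    # documented Cloudera naming rule).
    case "$env_name$db_name" in
        *[!A-Za-z0-9_-]*)
            echo "error: unexpected character in environment or database name" >&2
            return 2 ;;
    esac

    # Only the two modes listed on this page are accepted. An empty mode
    # is rejected because omitting seLinux silently selects PERMISSIVE.
    case "$mode" in
        ENFORCING|PERMISSIVE) ;;
        "")
            echo "error: seLinux mode not given; omitting it defaults to PERMISSIVE" >&2
            return 3 ;;
        *)
            echo "error: unsupported seLinux mode: $mode" >&2
            return 3 ;;
    esac

    printf "opdb create-database --environment-name %s --database-name %s --security-request '{\"seLinux\": \"%s\"}'\n" \
        "$env_name" "$db_name" "$mode"
}

# Example invocation using the names from the commands above.
cod_create_cmd cod-7218-micro1 testDB ENFORCING
```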

Assign ODAdmin role at the database level

Cloudera Operational Database supports setting a user as an ODAdmin at the database level. In earlier versions of Cloudera Operational Database, you could set the ODAdmin at the environment level only. For better usability and enhanced security, you can now set it at the database level too.